[strongSwan] DH group ECP_256 unacceptable, requesting ECP_256

Houman houmie at gmail.com
Fri Oct 16 09:42:39 CEST 2020


Hi Tobias,

I came across the same issue that someone else had raised with you 10
months ago. Unfortunately it seems he was right about the bug.
https://wiki.strongswan.org/issues/3290

This is what I'm getting:
Oct 16 07:36:48 de-fsn-x charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.9.0, Linux 5.4.0-1028-aws, x86_64)
Oct 16 07:36:48 de-fsn-x charon: 00[KNL] unable to create IPv4 routing
table rule
Oct 16 07:36:48 de-fsn-x charon: 00[KNL] unable to create IPv6 routing
table rule
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG]   loaded ca certificate "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3" from
'/etc/ipsec.d/cacerts/chain.pem'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Oct 16 07:36:48 de-fsn-x ipsec[1855]: /usr/libexec/ipsec/charon: symbol
lookup error: /usr/lib/ipsec/plugins/libstrongswan-wolfssl.so: undefined
symbol: mp_read_unsigned_bin
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading ocsp signer certificates
from '/etc/ipsec.d/ocspcerts'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Oct 16 07:36:48 de-fsn-x ipsec[506]: charon has died -- restart scheduled
(5sec)
Oct 16 07:36:48 de-fsn-x ipsec[506]: charon refused to be started
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Oct 16 07:36:48 de-fsn-x charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'

This is how I compiled everything:

git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl/
./autogen.sh
./configure --disable-crypttests --disable-examples --enable-keygen \
  --enable-rsapss --enable-aesccm --enable-aesctr --enable-des3 \
  --enable-camellia --enable-curve25519 --enable-ed25519 --enable-curve448 \
  --enable-ed448 --enable-sha3 --enable-shake256
make
make check
make install
mv /usr/local/lib/libwolfssl.* /usr/lib/
cd ..
wget https://download.strongswan.org/strongswan-5.9.0.tar.bz2
tar xjvf strongswan-5.9.0.tar.bz2
cd strongswan-5.9.0
./configure --prefix=/usr --sysconfdir=/etc --enable-eap-radius \
  --enable-eap-identity --enable-systemd --enable-swanctl --enable-gcm \
  --enable-aesni --enable-wolfssl
make install


Thank you,
Houman


On Thu, 15 Oct 2020 at 19:31, Houman <houmie at gmail.com> wrote:

> Hello Tobias,
>
> Thank you for your reply.  Excellent, now I understand.
>
> If I compile WolfSSL into /usr/local/lib and then compile StrongSwan
> with --enable-wolfssl, will StrongSwan automatically pick up the latest
> WolfSSL lib like that?
> Or do I need to set a path as well?
>
> Many Thanks,
> Houman
>
> On Thu, 15 Oct 2020 at 16:53, Tobias Brunner <tobias at strongswan.org>
> wrote:
>
>> Hi,
>>
>> > Is that another plugin that I need to compile?
>>
>> Yes, you need one of the third-party crypto plugins (openssl, wolfssl,
>> botan).  See [1] for the list of all algorithms and the plugins that
>> provide them.
>>
>> Regards,
>> Tobias
>>
>> [1]
>> https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
>>
>
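Added diagnostic script, not part of this thread or of strongSwan/wolfSSL, for the `symbol lookup error` in the log above: it checks that the plugin really references the symbol, which libwolfssl the dynamic linker resolves the plugin against, and whether that library exports the symbol. The plugin path and symbol name default to the values from the log; the library name `libwolfssl.so` and the `ldconfig`/`ls` checks on /usr/lib and /usr/local/lib are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): find out why a strongSwan plugin fails
# with "undefined symbol". Defaults are taken from the log; all are overridable.
PLUGIN="${1:-/usr/lib/ipsec/plugins/libstrongswan-wolfssl.so}"
SYMBOL="${2:-mp_read_unsigned_bin}"
LIBNAME="${3:-libwolfssl.so}"   # assumed soname prefix of the wolfSSL library

# Read `ldd` output on stdin and print the path LIBNAME resolved to
# (prints nothing when ldd reports "not found").
ldd_resolved_path() {
    awk -v lib="$1" 'index($1, lib) == 1 && $2 == "=>" && $3 != "not" { print $3; exit }'
}

# Read `nm -D` output on stdin. Undefined references have no address column
# (2 fields, type U/w); defined symbols have one (3 fields). "@VERSION" is stripped.
nm_references_symbol() {
    awk -v sym="$1" '{ sub(/@.*/, "", $NF) } NF == 2 && $2 == sym { found = 1 } END { exit !found }'
}
nm_defines_symbol() {
    awk -v sym="$1" '{ sub(/@.*/, "", $NF) } NF == 3 && $3 == sym { found = 1 } END { exit !found }'
}

diagnose() {
    if ! nm -D "$PLUGIN" | nm_references_symbol "$SYMBOL"; then
        echo "$PLUGIN does not reference $SYMBOL; nothing to diagnose"; return 0
    fi
    lib=$(ldd "$PLUGIN" | ldd_resolved_path "$LIBNAME")
    if [ -z "$lib" ]; then
        echo "$LIBNAME is not resolved by the dynamic linker (check ldconfig)"; return 1
    fi
    echo "plugin resolves $LIBNAME to $lib"
    if nm -D "$lib" | nm_defines_symbol "$SYMBOL"; then
        echo "$lib exports $SYMBOL: plugin and library agree"; return 0
    fi
    echo "$lib does NOT export $SYMBOL: the loaded library does not match what the plugin was built against"
    # Several installed copies are the usual reason the wrong one gets loaded.
    ls -l /usr/lib/"$LIBNAME"* /usr/local/lib/"$LIBNAME"* 2>/dev/null
    ldconfig -p | grep "$LIBNAME"
    return 1
}

# Run only when the plugin is present, so the functions can also be sourced.
if [ -e "$PLUGIN" ]; then diagnose; exit $?; fi
```

Run it as root on the affected host after a failed start; a non-zero exit means the library the plugin actually loads lacks the symbol.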